dcrat | 1598525730f0659968e647197ebae351bbf2286bd07de4eb753523311a2385d3

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1598525730f0659968e647197ebae351bbf2286bd07de4eb753523311a2385d3.exe
Size

1.3MB
MD5

8602a55edec3889558030387bc232e0e
SHA1

7f7811584231c653e945d57d2ccaa0cfcda24d29
SHA256

1598525730f0659968e647197ebae351bbf2286bd07de4eb753523311a2385d3
SHA512

0be96ad32cb92f23fb144cba6d8f5477ac7e5b3dab26bbff76ba15f87c46ceb1ce9c91a2bed80bbde6f802aca8e0d2c3eea5d4608095f85e290e69d371ef6ef0
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	4944	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	4944	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	4944	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	4944	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	4944	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	4944	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	4944	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	4944	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	4944	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	4944	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	4944	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	4944	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	4944	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	4944	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	4944	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	4944	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	4944	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	4944	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b9d-10.dat	dcrat
behavioral2/memory/2700-13-0x0000000000210000-0x0000000000320000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3408	powershell.exe
1632	powershell.exe
2376	powershell.exe
4872	powershell.exe
452	powershell.exe
3648	powershell.exe
2036	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_1598525730f0659968e647197ebae351bbf2286bd07de4eb753523311a2385d3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe

Executes dropped EXE 16 IoCs

pid	Process
2700	DllCommonsvc.exe
3304	unsecapp.exe
1960	unsecapp.exe
3840	unsecapp.exe
4156	unsecapp.exe
4744	unsecapp.exe
3668	unsecapp.exe
3212	unsecapp.exe
2128	unsecapp.exe
3872	unsecapp.exe
220	unsecapp.exe
2568	unsecapp.exe
4936	unsecapp.exe
1476	unsecapp.exe
1460	unsecapp.exe
2472	unsecapp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
54	raw.githubusercontent.com
40	raw.githubusercontent.com
41	raw.githubusercontent.com
48	raw.githubusercontent.com
53	raw.githubusercontent.com
56	raw.githubusercontent.com
16	raw.githubusercontent.com
17	raw.githubusercontent.com
25	raw.githubusercontent.com
46	raw.githubusercontent.com
47	raw.githubusercontent.com
55	raw.githubusercontent.com
34	raw.githubusercontent.com
42	raw.githubusercontent.com
43	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\29c1c3cc0f7685	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Migration\WTR\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\e6c9b481da804f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1598525730f0659968e647197ebae351bbf2286bd07de4eb753523311a2385d3.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	JaffaCakes118_1598525730f0659968e647197ebae351bbf2286bd07de4eb753523311a2385d3.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4604	schtasks.exe
4980	schtasks.exe
5020	schtasks.exe
740	schtasks.exe
3212	schtasks.exe
2140	schtasks.exe
2336	schtasks.exe
3908	schtasks.exe
1188	schtasks.exe
2780	schtasks.exe
2288	schtasks.exe
1116	schtasks.exe
4168	schtasks.exe
1988	schtasks.exe
3748	schtasks.exe
2028	schtasks.exe
4176	schtasks.exe
2216	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2700	DllCommonsvc.exe
2376	powershell.exe
1632	powershell.exe
4872	powershell.exe
2036	powershell.exe
3648	powershell.exe
2036	powershell.exe
452	powershell.exe
3408	powershell.exe
3408	powershell.exe
3304	unsecapp.exe
2376	powershell.exe
1632	powershell.exe
4872	powershell.exe
3648	powershell.exe
452	powershell.exe
1960	unsecapp.exe
3840	unsecapp.exe
4156	unsecapp.exe
4744	unsecapp.exe
3668	unsecapp.exe
3212	unsecapp.exe
2128	unsecapp.exe
3872	unsecapp.exe
220	unsecapp.exe
2568	unsecapp.exe
4936	unsecapp.exe
1476	unsecapp.exe
1460	unsecapp.exe
2472	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	DllCommonsvc.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	3648	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	3304	unsecapp.exe
Token: SeDebugPrivilege	1960	unsecapp.exe
Token: SeDebugPrivilege	3840	unsecapp.exe
Token: SeDebugPrivilege	4156	unsecapp.exe
Token: SeDebugPrivilege	4744	unsecapp.exe
Token: SeDebugPrivilege	3668	unsecapp.exe
Token: SeDebugPrivilege	3212	unsecapp.exe
Token: SeDebugPrivilege	2128	unsecapp.exe
Token: SeDebugPrivilege	3872	unsecapp.exe
Token: SeDebugPrivilege	220	unsecapp.exe
Token: SeDebugPrivilege	2568	unsecapp.exe
Token: SeDebugPrivilege	4936	unsecapp.exe
Token: SeDebugPrivilege	1476	unsecapp.exe
Token: SeDebugPrivilege	1460	unsecapp.exe
Token: SeDebugPrivilege	2472	unsecapp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 2408	5092	JaffaCakes118_1598525730f0659968e647197ebae351bbf2286bd07de4eb753523311a2385d3.exe	82
PID 5092 wrote to memory of 2408	5092	JaffaCakes118_1598525730f0659968e647197ebae351bbf2286bd07de4eb753523311a2385d3.exe	82
PID 5092 wrote to memory of 2408	5092	JaffaCakes118_1598525730f0659968e647197ebae351bbf2286bd07de4eb753523311a2385d3.exe	82
PID 2408 wrote to memory of 4868	2408	WScript.exe	83
PID 2408 wrote to memory of 4868	2408	WScript.exe	83
PID 2408 wrote to memory of 4868	2408	WScript.exe	83
PID 4868 wrote to memory of 2700	4868	cmd.exe	85
PID 4868 wrote to memory of 2700	4868	cmd.exe	85
PID 2700 wrote to memory of 452	2700	DllCommonsvc.exe	105
PID 2700 wrote to memory of 452	2700	DllCommonsvc.exe	105
PID 2700 wrote to memory of 3648	2700	DllCommonsvc.exe	106
PID 2700 wrote to memory of 3648	2700	DllCommonsvc.exe	106
PID 2700 wrote to memory of 2036	2700	DllCommonsvc.exe	107
PID 2700 wrote to memory of 2036	2700	DllCommonsvc.exe	107
PID 2700 wrote to memory of 3408	2700	DllCommonsvc.exe	108
PID 2700 wrote to memory of 3408	2700	DllCommonsvc.exe	108
PID 2700 wrote to memory of 1632	2700	DllCommonsvc.exe	109
PID 2700 wrote to memory of 1632	2700	DllCommonsvc.exe	109
PID 2700 wrote to memory of 2376	2700	DllCommonsvc.exe	110
PID 2700 wrote to memory of 2376	2700	DllCommonsvc.exe	110
PID 2700 wrote to memory of 4872	2700	DllCommonsvc.exe	111
PID 2700 wrote to memory of 4872	2700	DllCommonsvc.exe	111
PID 2700 wrote to memory of 3304	2700	DllCommonsvc.exe	119
PID 2700 wrote to memory of 3304	2700	DllCommonsvc.exe	119
PID 3304 wrote to memory of 1988	3304	unsecapp.exe	123
PID 3304 wrote to memory of 1988	3304	unsecapp.exe	123
PID 1988 wrote to memory of 2492	1988	cmd.exe	125
PID 1988 wrote to memory of 2492	1988	cmd.exe	125
PID 1988 wrote to memory of 1960	1988	cmd.exe	127
PID 1988 wrote to memory of 1960	1988	cmd.exe	127
PID 1960 wrote to memory of 972	1960	unsecapp.exe	130
PID 1960 wrote to memory of 972	1960	unsecapp.exe	130
PID 972 wrote to memory of 3988	972	cmd.exe	132
PID 972 wrote to memory of 3988	972	cmd.exe	132
PID 972 wrote to memory of 3840	972	cmd.exe	133
PID 972 wrote to memory of 3840	972	cmd.exe	133
PID 3840 wrote to memory of 4652	3840	unsecapp.exe	135
PID 3840 wrote to memory of 4652	3840	unsecapp.exe	135
PID 4652 wrote to memory of 3224	4652	cmd.exe	137
PID 4652 wrote to memory of 3224	4652	cmd.exe	137
PID 4652 wrote to memory of 4156	4652	cmd.exe	139
PID 4652 wrote to memory of 4156	4652	cmd.exe	139
PID 4156 wrote to memory of 4968	4156	unsecapp.exe	140
PID 4156 wrote to memory of 4968	4156	unsecapp.exe	140
PID 4968 wrote to memory of 3408	4968	cmd.exe	142
PID 4968 wrote to memory of 3408	4968	cmd.exe	142
PID 4968 wrote to memory of 4744	4968	cmd.exe	143
PID 4968 wrote to memory of 4744	4968	cmd.exe	143
PID 4744 wrote to memory of 3156	4744	unsecapp.exe	144
PID 4744 wrote to memory of 3156	4744	unsecapp.exe	144
PID 3156 wrote to memory of 4896	3156	cmd.exe	146
PID 3156 wrote to memory of 4896	3156	cmd.exe	146
PID 3156 wrote to memory of 3668	3156	cmd.exe	147
PID 3156 wrote to memory of 3668	3156	cmd.exe	147
PID 3668 wrote to memory of 3804	3668	unsecapp.exe	148
PID 3668 wrote to memory of 3804	3668	unsecapp.exe	148
PID 3804 wrote to memory of 2036	3804	cmd.exe	150
PID 3804 wrote to memory of 2036	3804	cmd.exe	150
PID 3804 wrote to memory of 3212	3804	cmd.exe	151
PID 3804 wrote to memory of 3212	3804	cmd.exe	151
PID 3212 wrote to memory of 3608	3212	unsecapp.exe	152
PID 3212 wrote to memory of 3608	3212	unsecapp.exe	152
PID 3608 wrote to memory of 1220	3608	cmd.exe	154
PID 3608 wrote to memory of 1220	3608	cmd.exe	154

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1598525730f0659968e647197ebae351bbf2286bd07de4eb753523311a2385d3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1598525730f0659968e647197ebae351bbf2286bd07de4eb753523311a2385d3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
    - - C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3304
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pksuDlslcW.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2492
        
        C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3988
        
        C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3224
        
        C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I4yJNRBzAA.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3408
        
        C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4896
        
        C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2036
        
        C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1220
        
        C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"
        20⤵
        
        PID:1308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4296
        
        C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"
        22⤵
        
        PID:936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1400
        
        C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wx0Tv0d3iA.bat"
        24⤵
        
        PID:1824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3312
        
        C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat"
        26⤵
        
        PID:4156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2652
        
        C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"
        28⤵
        
        PID:3972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4892
        
        C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat"
        30⤵
        
        PID:1940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:2292
        
        C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"
        32⤵
        
        PID:5052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:2412
        
        C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe"
        33⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\providercommon\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat

Filesize
224B

MD5
2f7325fcc757336a58ce498e4eb71a9f

SHA1
72c9ffa898c015dbd658e2e10419c159b9781a2a

SHA256
50b7a17fcf0297818d6ab6df11d2923a3e879e1ed62ae1dab1499c7c01fd879e

SHA512
20a7e689cb8bad1cdaf12c8f8ce57726bf287b11541230e357ee43d16eb768588eea87766de0d57ee274bb0744920b5f0f8e69d3e225a77dfc202652af09648e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat

Filesize
224B

MD5
8466ee07932ce23b4850cabf50ac0c74

SHA1
8a9ea383f52717f8007f3ef2d79e7e2d00846279

SHA256
f86cb53b7a9b60f9c1cb54b8502a6ef603b8281e7ec8f5078339b6a94d4c0e4e

SHA512
e7a427ab9d6968f740f39decd6d9c9259a0f91e08e821db511c6a50d7d81e6f20f13d64b99d6f70e2f23d62d589e5a63ee05a6382a65c5e0e521db8468f542d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat

Filesize
224B

MD5
86ca4e8db22972a78ea437eab03036a8

SHA1
771e973e6e3266ef1d18a3729943c8b72291096e

SHA256
1cdaa6b0eb13242a14f2b8dc36feea7ec897fb5b810a44576be09e9e0b59e454

SHA512
d0b56e05a7d343f7434e65a590ef229cf5275240772b0f3652e561c7ddee4567d050629fbb5e56ab62c9e29a1e65a9507a539eb424a0aa6119a656897b3c7799

Download Submit
C:\Users\Admin\AppData\Local\Temp\I4yJNRBzAA.bat

Filesize
224B

MD5
dd39c51dc861872b15e9a2358676a7f9

SHA1
1df0dea1d3229326d714c0488b7229ac15f25bc6

SHA256
28119d6d48476cdb17a3767427d2dade387d75426ac1ae2bc6d473123d3830fb

SHA512
6d079c7f2a42f04d46ff56586ec7027df6068ba46c0de2b4548b78c4378651ea332c69d7828fdb0077387f47e19910d762af8aea46d619a3c3ec48079495ad22

Download Submit
C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat

Filesize
224B

MD5
c289da981682e1f8d3e7c43a87422265

SHA1
5ff045f46855ce25a3163fe99405b945708e843c

SHA256
a16f9b3e2a684b879385d79e4a3e1d17de8a7e757bb35973a65b49e9ce9a7d38

SHA512
1a1ad20a90176085dcbcb9969063cb7282fd152b729b0aed82fc70567729cc622996299b9507ee55d492eadedf858cc7b2cf68ed2dc49db1e57f60f576f484a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat

Filesize
224B

MD5
e2a99dbb54f225cf183be943b9a10735

SHA1
5072cded265624c0293f00ff53b6ec2026b20b6b

SHA256
d8fecd73e6ed7bb1ee8d837bf8dee272712b9ed7805204b2a1e73b4f8f5e1fa6

SHA512
bf8fdb3788966aa2a22ae3fb5663dc53453c4cad967abdcca3dea9ea5bb15a1e3de4be4eabfcdab2607fec5faa18136dc834023c909730b10676643251746e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat

Filesize
224B

MD5
6780b84714ad28111a591cf834715189

SHA1
2f95ea7ca1345809649bf8862b03d6e0d5e9d81b

SHA256
296ec739e2f4231a0bf2b3b985a278dc655c4804afd4f34abe295b0ee2ac207f

SHA512
40cf22967d174e939d094417ec6f7e824179868694db3fcce011bdd15721dd6becfae1a341e62a89c212cbbc7bd18a7cf003594b147981bf00849fff2a763e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wx0Tv0d3iA.bat

Filesize
224B

MD5
434d64a327a7ecd91adf990ae4bef9a6

SHA1
1df45e1bd0b60946f8c019ded990313a47afbd19

SHA256
00b4b6cc8d450505ce34b2f7d56b09579f998d06878e12edba06e10cb5c15759

SHA512
d011e80b2993d784f6291ed599dbb9bc70e284de3f9dbf38dfca5e249d50b61b8c955ded52c1bbb8cd46b7eac8518736f41e9fd5209f37051fc11a78fa7df72f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat

Filesize
224B

MD5
da7916f22652160451f949f37e20e0cd

SHA1
c72d7d40cc3f6c7c22a4ec81da258bbbff17e7a3

SHA256
b15ef5a93e5db2a50a01a8fcb855ec2b7aba926886be6c55ac7d0c030fd24e07

SHA512
fb8f7d35ebbe245b9c88d25a55a85e1563dba00f1f506dab3cd9d0d3b1824a2263043b5bb41b0782a2b80e037ee98061619810efda0791221bccbda7c4edb9ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hze5l2zc.rxh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat

Filesize
224B

MD5
fc48dbc224890abbe26d5e038997cf0b

SHA1
a29611937647b4cf998722692698bf29f248e107

SHA256
921151562894ef8027c16d0a2a1d59050d33d1dd69e16c7c53d5f1644c7d4624

SHA512
1bcb38a30a67e819f7babe25a7bff5d34c565b0f94eb0d4a090e93e1697c4e27ea372cf0d9ff59083812c51ba46d5050f4163d6f7097a5e03bf073bc766f4ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pksuDlslcW.bat

Filesize
224B

MD5
a3fe32a624b0642a2daaf36ccb61da9b

SHA1
e3d8868465b682bae75f50c51045b7fcc529fe09

SHA256
b73eb6f408095447c0e8c960730f2cb43c70e3fca29a867319b22b35ef5a8f57

SHA512
754cd52993c0a35f8f2d317360ab2c7b88e7d58341abe98049a80287ff842aa02c5acdbd16f93578ff6251fea9f448a8c673ed5145791860c17c9d2dc8a33030

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/220-182-0x0000000002370000-0x0000000002382000-memory.dmp

Filesize
72KB

Download
memory/1960-129-0x0000000003280000-0x0000000003292000-memory.dmp

Filesize
72KB

Download
memory/2376-48-0x0000017EA05B0000-0x0000017EA05D2000-memory.dmp

Filesize
136KB

Download
memory/2700-17-0x000000001B040000-0x000000001B04C000-memory.dmp

Filesize
48KB

Download
memory/2700-16-0x000000001AF20000-0x000000001AF2C000-memory.dmp

Filesize
48KB

Download
memory/2700-15-0x000000001B050000-0x000000001B05C000-memory.dmp

Filesize
48KB

Download
memory/2700-14-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/2700-13-0x0000000000210000-0x0000000000320000-memory.dmp

Filesize
1.1MB

Download
memory/2700-12-0x00007FFD9C1F3000-0x00007FFD9C1F5000-memory.dmp

Filesize
8KB

Download
memory/3212-163-0x00000000013E0000-0x00000000013F2000-memory.dmp

Filesize
72KB

Download
memory/3304-105-0x0000000000C70000-0x0000000000C82000-memory.dmp

Filesize
72KB

Download
memory/3668-156-0x00000000014A0000-0x00000000014B2000-memory.dmp

Filesize
72KB

Download
memory/3840-136-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/4744-149-0x00000000011E0000-0x00000000011F2000-memory.dmp

Filesize
72KB

Download